djohnston

A black-market vendor claims to have found a new zero-day vulnerability in Java and is selling an exploit for it on black-market forums, according to Krebs on Security. The vendor appeared to be offering information about the hole just 24 hours after Oracle had released a patch, Java 7 Update 11, to close the other dangerous security hole that had surfaced at the end of 2012. Brian Krebs reports that the seller is asking $5,000 per buyer for the exploit and is said to have already sold it to two interested parties. The seller was amused that "java has failed once again and let users get compromised".

Shortly after the release of Oracle's update, researchers at Immunity Products reported that only one of the two reported bugs was fixed in the update and that, although the patch did stop the exploit, "an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users."

In light of Immunity's findings and other security researchers' advice, US-CERT has maintained its recommendation to keep Java disabled in browsers because of the current spate of risks. Krebs' advice to also keep Java disabled had been questioned; he responded by noting that Oracle, despite its four-day turnaround on the update, "lacks any kind of outward sign of awareness that its software is so broadly installed on consumer systems", and that users should "respond accordingly".

The US-CERT advisory has also been revised to note that both open source implementations of Java, OpenJDK 7 and IcedTea 2, were also vulnerable to the problems. Ubuntu, for example, has already updated its OpenJDK packages.